1more virus Removal Guide
What is 1more ransomware?
1more ransomware is a malicious Windows program whose goal is to extort money from users
1more ransomware is a malicious program made by cybercriminals for extortion purposes
1more ransomware is a ransomware-type virus that targets users of Windows operating systems. Ransomware is one of the most devastating computer infections out there, as it locks all personal files on the machine and then demands ransom for decryption software, which is not even guaranteed to work.
In the case of the 1more virus, a combination of RSA and AES encryption algorithms is used to lock all data on the system. After this process is finished, victims would find that all their files have been stripped of their original icons, and a special extension is appended to each of them – “.[ID].firstname.lastname@example.org.”
If you tried to open any of the files, you wouldn't be able to, regardless of which application you would attempt to open it with – Windows would simply deliver an error that claims the type of file can't be opened. While data is encrypted, it is not corrupted, and cybercriminals are offering a decryptor – not for free, of course.
In the ransom note unlock-info.txt, which is delivered shortly after malware finishes its job, crooks claim that users have to pay ransom in bitcoin. For communication purposes, they provide two contact addresses – email@example.com and firstname.lastname@example.org, although we do not recommend writing emails to hackers, as they can never be trusted.
First detected at the end of July 2022, this malware is a member of the VoidCrypt/Void ransomware family, with numerous releases before this one – Linda, Moonshadow, and Gilfillan are just a few examples we have already covered. As usual, we will provide more details about malware's operation and guide you through its removal and data recovery process.
|Type||Ransomware, file-locking virus|
|File Recovery||The only secure way to restore files is by using data backups. If such is not available or were encrypted as well, options for recovery are minimal – we provide all possible solutions below|
|Malware removal||Disconnect the computer from the network and internet and then perform a full system scan with SpyHunter 5Combo Cleaner security software|
|System fix||Once installed on the system, malware might seriously damage some system files, resulting in crashes, errors, and other stability issues. You can employ ReimageIntego PC repair to fix any of such damage automatically by replacing system corruption|
The ransom note and what to expect
A ransom note is particularly important to cybercriminals, as it delivers all the crucial information which contains contact details, which increases the chance of victims paying the ransom. As a general rule, the note is either placed on the desktop or even opens automatically after data encryption is finished.
In this case, users are provided a note which is very typical of VoidCrypt versions and reads as follows:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail; email@example.com Write this ID in the title of your message : CW-SQ4539107682
In case of no answer in 24 hours write us to theese e-mails: firstname.lastname@example.org
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
It is not surprising that 1more ransomware authors are offering users the test decryption service. By doing so, they attempt to win users' trust and increase the chances of them paying in the hopes of retrieving their data.
1more ransomware delivers the ransom note soon after it finishes data encryption
While there have been plenty of cases where users actually received a working decryptor from cybercriminals behind ransomware, there is never a guarantee that it would happen to you. Therefore, paying the ransom is relatively risky and is not recommended by security researchers and the authorities. Instead, we recommend proceeding with malware removal and alternative methods of data recovery.
Step 1. Remove malware
Most users who get infected with ransomware straight out panic once they realize that their files can no longer be opened and used. While the reaction is understandable, it will not solve anything, as the infection has already occurred. Due to this panic state, some victims may make mistakes when dealing with the situation, which may lead to even more damage and permanent data loss. Therefore, it is important to take the correct steps in the correct order.
Often, cybercriminals establish a remote connection with the affected Windows machine with the so-called Command & Control server. Communication happens over the internet, so it is important that the device is disconnected from any networked connections. Here's how to do that quickly and efficiently:
- Type in Control Panel in Windows search and press Enter
- Go to Network and Internet
- Click Network and Sharing Center
- On the left, pick Change adapter settings
- Right-click on your connection (for example, Ethernet), and select Disable
- Confirm with Yes.
As soon as the network connection is severed, the attackers can no longer communicate with the affected device, which is a good time to begin 1more ransomware removal. The only way to effectively eliminate all the malicious files and the infection from the system is by performing a full system scan with powerful anti-malware software, such as SpyHunter 5Combo Cleaner or Malwarebytes.
In some cases, malware may start tampering with the deletion process, interfering with security software's operation. If that is the case, you should access Safe Mode and perform the full system scan from there. If you need help reaching Safe Mode, you can check the instructions at the bottom of this post.
Data recovery explained
There are two types of people when it comes to dealing with ransomware – those who think that their files are permanently lost and those who believe that they can recover everything as soon as they get rid of the malware by performing a full system scan. None of these groups of people are right.
First of all, data affected by fully-working ransomware is never corrupted but rather locked. Imagine it as a password that is unique to every victim and is extremely complex, consisting of randomly-generated alphanumeric characters. This makes it almost impossible for any computer currently in existence to successfully computer the correct password. In other words, only cybercriminals have access to the password and use this to their advantage.
Unfortunately, running a full system scan with security software would not result in data recovery, as the files would remain locked. At the same time, paying criminals is highly risky and may add to damages already suffered – losing money on top of locked files is a disaster. Unfortunately, there are plenty of users who suffer from these consequences.
Therefore, we recommend you employ alternative solutions for this problem – try data recovery software first:
- Download Data Recovery Pro.
- Double-click the installer to launch it.
- Follow on-screen instructions to install the software.
- As soon as you press Finish, you can use the app.
- Select Everything or pick individual folders which you want the files to be recovered from.
- Press Next.
- At the bottom, enable Deep scan and pick which Disks you want to be scanned.
- Press Scan and wait till it is complete.
- You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
- Press Recover to retrieve your files.
The above method may not always work, or at least not for all personal files. Unfortunately, the options are relatively limited at this point, and your best bet is to wait for a free decryptor that could be created by security researchers from security vendors. These links could help you find a decrytpion tool, although keep in mind that this scenario is not guaranteed and only possible if a flaw is found in ransomware's encryption process or if attackers' servers are seized by authorities.
- No More Ransom Project
- Free Ransomware Decryptors by Kaspersky
- Free Ransomware Decryption Tools from Emsisoft
- Avast decryptors
Other useful tips
Ransomware is relatively unique when it comes to its operation. Data stealers, backdoors, and other similar infections operate silently so that users would not be able to delete them easily. Unlike these, ransomware does not hide its presence as soon as it finishes the encryption process.
Regardless, malware can still cause various issues when it comes to system operation, so we recommend running a scan with a powerful PC repair tool ReimageIntego, as it can find and fix these irregularities. Otherwise, after malware removal, you may face stability issues such as system crashes with BSODs, errors, and other failures.
We also recommend reporting the ordeal to your local authorities, as it can increase the chances of cybersecurity researchers creating a decryption tool. Also, don't forget to create working backups of your files to avoid ransomware effects in the future. Most importantly, ensure you are running SpyHunter 5Combo Cleaner, Malwarebytes, or another powerful anti-malware to prevent intrusions.
Getting rid of 1more virus. Follow these steps
Create data backups to avoid file loss in the future
One of the many countermeasures for home users against ransomware is data backups. Even if your Windows get corrupted, you can reinstall everything from scratch and retrieve files from backups with minimal losses overall. Most importantly, you would not have to pay cybercriminals and risk your money as well.
Therefore, if you have already dealt with a ransomware attack, we strongly advise you to prepare backups for future use. There are two options available to you:
- Backup on a physical external drive, such as a USB flash drive or external HDD.
- Use cloud storage services.
The first method is not that convenient, however, as backups need to constantly be updated manually – although it is very reliable. Therefore, we highly advise choosing cloud storage instead – it is easy to set up and efficient to sustain. The problem with it is that storage space is limited unless you want to pay for the subscription.
Using Microsoft OneDrive
OneDrive is a built-in tool that comes with every modern Windows version. By default, you get 5 GB of storage that you can use for free. You can increase that storage space, but for a price. Here's how to setup backups for OneDrive:
- Click on the OneDrive icon within your system tray.
- Select Help & Settings > Settings.
- If you don't see your email under the Account tab, you should click Add an account and proceed with the on-screen instructions to set yourself up.
- Once done, move to the Backup tab and click Manage backup.
- Select Desktop, Documents, and Pictures, or a combination of whichever folders you want to backup.
- Press Start backup.
After this, all the files that are imported into the above-mentioned folders will be automatically backed for you. If you want to add other folders or files, you have to do that manually. For that, open File Explorer by pressing Win + E on your keyboard, and then click on the OneDrive icon. You should drag and drop folders you want to backup (or you can use Copy/Paste as well).
Using Google Drive
Google Drive is another great solution for free backups. The good news is that you get as much as 15GB for free by choosing this storage. There are also paid versions available, with significantly more storage to choose from.
You can access Google Drive via the web browser or use a desktop app you can download on the official website. If you want your files to be synced automatically, you will have to download the app, however.
- Download the Google Drive app installer and click on it.
- Wait a few seconds for it to be installed.
- Now click the arrow within your system tray – you should see Google Drive icon there, click it once.
- Click Get Started.
- Enter all the required information – your email/phone, and password.
- Now pick what you want to sync and backup. You can click on Choose Folder to add additional folders to the list.
- Once done, pick Next.
- Now you can select to sync items to be visible on your computer.
- Finally, press Start and wait till the sync is complete. Your files are now being backed up.
Report the incident to your local authorities
Ransomware is a huge business that is highly illegal, and authorities are very involved in catching malware operators. To have increased chances of identifying the culprits, the agencies need information. Therefore, by reporting the crime, you could help with stopping the cybercriminal activities and catching the threat actors. Make sure you include all the possible details, including how did you notice the attack, when it happened, etc. Additionally, providing documents such as ransom notes, examples of encrypted files, or malware executables would also be beneficial.
Law enforcement agencies typically deal with online fraud and cybercrime, although it depends on where you live. Here is the list of local authority groups that handle incidents like ransomware attacks, sorted by country:
- USA – Internet Crime Complaint Center IC3
- United Kingdom – ActionFraud
- Canada – Canadian Anti-Fraud Centre
- Australia – ScamWatch
- New Zealand – ConsumerProtection
- Germany – Polizei
- France – Ministère de l'Intérieur
If your country is not listed above, you should contact the local police department or communications center.
Manual removal using Safe Mode
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from 1more and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Do not let government spy on you
The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet.
You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.
Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.
Backup files for the later use, in case of the malware attack
Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.
When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.